Tuesday, February 26, 2008

There's a new data point for organizations struggling to figure out what impact data exposure has on a business' bottom line. According to a study from the Ponemon Institute, described in this article, the average cost of an information security breach in the UK is about 47 pounds/record (about 103 dollars/record at current exchange rates). This is much less than the 197 dollars/record figure from a different Ponemon study from last year, which I described in this post. Why the discrepancy? My immediate thought is underlying data sets. The more recent study is focused on the UK, while the previous study was not. On the other hand, it's also possible that the previous study simply overestimated the costs of a breach. At this point, my guess is that the discrepancy is based on a combination of the two factors, but that the actual cost is closer to the lower number, a conclusion I draw in part because of the relatively low per record cost associated with massive breaches, something I wrote about here in the context of the TJX case.

Sunday, February 24, 2008

Computer World has an article up about online personal health records (PHR) systems, and a report which claims that they pose risks to consumer privacy. The premise of the report (and the article) is intriguing: online PHR systems could be a new type of business model which might undermine privacy and security rules governing traditional health care providers (particularly HIPAA). Happily (from a privacy standpoint), both the article and the report it is based on fail to make a case that PHR systems represent a new, serious hole in the privacy regime created by HIPAA. The biggest problems I had are that the report simply assumed that PHR systems are outside of HIPAA, and that it assumed that PHR systems which fall outside of HIPAA aren't required to comply with HIPAA's regulations. First, I'm not sure how many PHR systems actually fall outside of HIPAA. HIPAA doesn't just cover health care providers; it also covers health plans and health care clearinghouses. Before I become excited about PHR systems evading regulations covering health care providers, I would want to know whether the systems in question are part of one of the other categories of covered entities under HIPAA. Second, even if a PHR system isn't a covered entity under HIPAA, it might be required to comply with HIPAA due to its contracts with entities which are covered entities. Indeed, the HIPAA rules specifically require that covered entities enter into such contracts with certain of their business associates (e.g., 45 C.F.R. 164.314(a)(1) "Business Associate Contracts and Other Arrangements"). Again, the report simply didn't consider to what extent the hypothetical hole in HIPAA might be closed by the business associate portions of the regulations.

As a note, none of the above is meant to say that there aren't privacy risks involved in online PHR systems. For example, as the report notes, PHR systems represent one more repository of data which is subject to security breaches. Further, when you transmit data to such systems, it might be captured, either via snooping on a network, or via software like a keystroke logger installed on a local computer. However, neither of those risks has anything to do with HIPAA, and would be the same even if PHR systems were undeniably covered. Thus, while there are privacy concerns with PHR systems, the article didn't make the case that a HIPAA loophole is one of them.

Sunday, February 17, 2008

Here's an interesting article about a consumer who has used a data exposure notification law for a novel purpose: punishing an electronics distributor for bad customer service. What happened was as follows:

1) Raelyn Campbell brings her laptop into Best Buy for service.
2) Best Buy loses laptop.
3) Raelyn contacts Best Buy asking when her laptop will be ready.
4) Best Buy gives Raelyn the runaround.
5) Steps 3-4 repeated for four months.
6) Raelyn sues Best Buy...for $54,000,000.

So where's the privacy angle in all this? It turns out that the sequence of events described above should have included a step 2a) Tell Raelyn that her laptop, which contained her tax returns, was lost. The reason (other than the fact that it's the right thing to do from a moral and customer relations standpoint) is that such notification seems to be required by the District of Columbia's security breach notification act. That law, which it appears that Best Buy did not comply with, is the basis for Raelyn's $54,000,000 suit.

The next question, of course, is how much this is going to end up costing Best Buy. The short answer is: not $54,000,000. The relevant statute does authorize individuals to file suit against entities who have not complied with the statute's requirements (see here). However, it allows a recovery of actual damages plus costs (including attorney's fees), and Raelyn admits that the $54,000,000 figure was pulled out of the air for the purpose of making a statement. However, Best Buy isn't going to get off cheap either. When Raelyn originally learned that the laptop had been lost, she offered to settle with Best Buy for $2,100. As an attorney, I can safely say that Best Buy will spend more (likely much more) in legal fees just dealing with the case. Moreover, there's the cost of actually paying Raelyn's damages (cost of the laptop and any data stored on it, time wasted trying to get the laptop back, attorney's fees, and court costs). All in all, my guess is that before the end of this suit, Best Buy will institute a policy of simply replacing lost laptops for customers in states with security breach notification laws that allow for individual suit.

If that prediction turns out to be correct, it would be a powerful example of how allowing consumers to protect the security of their own data can have beneficial effects beyond consumer privacy (in this case improving customer service); something to consider when people ask why they should care about the privacy of information.

Monday, February 11, 2008

Wired.com has an article up about a startup called Credentica, which uses multi-party computation to allow people to verify information about themselves (e.g., age) without sharing that information, thereby eliminating data leaks which can lead to identity theft.

While the technology of the new service is neat, the headline of the article asks what I believe is an important question: Does Anyone Care? As discussed here, studies show that people always place greater value on even small amounts of money than they do on the privacy of their personal information, meaning that even a startup with a great new privacy protection product is likely to have a tough time in the market. In my opinion, that's too bad. To my mind, protecting your personal information is like playing poker against the world with all your cards exposed. Perhaps my profession as an attorney makes me more vigilant about privacy than other people; after all, lawyers have affirmative duties to protect information. One great example of those duties is this opinion which states in part that

The employees of the public defender's office must be the only individuals who have access to client information, including that which is stored on the computer system. If any component of the computer system is linked or somehow shared by other county offices, the public defender must take whatever reasonable and necessary precautions there are to ensure that this information cannot be accessed by the other offices. This is the public defender’s primary responsibility in this scenario. If the public defender is not satisfied that client confidentiality can be secured, then the ethical alternative is to either maintain a separate computer system from the other county offices or discontinue storing client information on the shared system. (emphasis added)

In other words, for lawyers, if a system isn't secure, it shouldn't be used to store client information. If all individuals had this same type of regard for data privacy, companies like Credentica would be almost sure to succeed. However, my experience, backed up by empirical data, is that most individuals have little to no regard for their personal data, which means that companies like Credentica, even if they have a great product, will likely have a difficult time in the market.

Friday, February 8, 2008

New federal rules require all creditors - financial institutions, retailers, utilities, car dealers, and other organizations that extend consumer credit or hold consumer accounts - to develop and implement a proactive Identity Theft Prevention Program. An identity theft prevention policy and program must be adopted and operating no later than November 1, 2008.

Federal regulators were required by the FACT Act of 2003 to issue regulations that implement Section 114 of the Act. This section amended the Fair Credit Reporting Act to require financial institutions and other creditors which maintain consumer accounts to adopt and maintain a written Identity Theft Prevention Program. This Program's purpose is to detect, prevent, and mitigate identity theft in connection with the opening of accounts maintained for personal, family or household purposes, so long as the accounts permit multiple payments or transactions. Examples include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts or savings accounts.

The applicability of the new regulations is not limited to consumer accounts. They also apply to any other account that is offered or maintained by a creditor where there is a reasonably foreseeable risk of identity theft, such as business accounts held by sole proprietors that can be opened or accessed remotely.

The new regulations provide financial institutions and creditors with flexibility in developing their programs according to their relative organizational size and complexity. However, the Program must include reasonable policies and procedures that:

• identify relevant Red Flags, and then incorporate those Red Flags into the Program;
• detect such Red Flags;
• respond appropriately to any Red Flags to prevent and mitigate identity theft; and
• ensure that the Program is updated periodically to reflect changes in risks to customers

What are these "Red Flags"? The regulations define them as a "pattern, practice, or specific activity that indicates the possible existence of identity theft." However, the concept is fleshed out considerably in the supplementary materials to the regulations. The federal regulatory agencies have adopted Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation. These Guidelines provide policies and procedures that can be used, where appropriate, to satisfy the regulatory requirements of the rules.

Once the Program has been established, each financial institution and creditor must administer the Program. This involves having the board of directors or an appropriate committee of the board approve the initial written Program, and having the board, an appropriate board committee, or a designated member of senior management be responsible for the oversight, development, implementation and administration of the Program. Additionally, training of relevant staff and effective oversight of third party service providers with respect to the Program are also required. Financial institutions covered by the Red Flag Identity Theft Rules are subject to oversight by the appropriate federal banking regulators, and for those creditors that are not federally regulated financial institutions, the Federal Trade Commission provides oversight. Besides regulatory enforcement actions, violations of the FACT Act can subject the financial institution or creditor to civil actions for damages. The type and amount of damages available will depend on whether the violations are determined to be "negligent" or "willful."

These new regulations will require formalizing practices that one hopes most reputable businesses currently follow with respect to being alert to potential fraud. The requirements are largely common sense, and address the need for both sides of the consumer credit equation to be alert to protecting one's identity.

Sunday, February 3, 2008

Well, last week I got a message from the Georgetown Information Security Office. Apparently, a hard drive was stolen which contained information from students enrolled between 1998 and 2006, as well as some faculty and staff. The message said that no credit card information or other financial data was exposed, but that personally identifiable information of some students (and faculty and staff) was stored on the hard drive. We were reassured that there was no evidence that any of the information had been misused, but were cautioned to place a fraud alert on our credit reporting accounts just in case.

For me, the advice to place a fraud alert was a bit late, since I've had credit monitoring ever since someone (not me) opened a bank account in my name almost a year ago. Of course, I could do more (like place a freeze on my account), but, frankly, my risks are low enough that I don't see any need to do it. Of course, there are still two things I'm curious about:

1) Why was the data stored on a hard drive that could be easily stolen (I'm guessing on a laptop)?

2) Why wasn't it encrypted (of course, the message didn't say it was unencrypted, but if it had been, you can bet that would have been mentioned)?

You'd think that in this day and age, an organization the size of Georgetown wouldn't store sensitive data on easily stealable hard drives, and would keep it encrypted as a matter of course.
